Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.

DETAILED ACTION
Response to Amendment
This is a reply to the amendment filed on 03/22/2021, in which claims 1, 3-12 and 14-24 are pending.
Claims 2 and 13 are cancelled.
Claims 23-24 are newly added.

Response to Arguments
Claim Rejections - 35 U.S.C. § 112:
Applicant's arguments with respect to the 35 U.S.C. 112, second paragraph rejection of claims 12-22 have been fully considered and are not persuasive.
Amending the claim to remove the term "for" does not overcome the means-plus-function rejection. The Examiner suggests adding "processor and memory" to the devices/system and indicating that the processor executes the application and performs the claimed functions, in order to overcome the rejection.

Claim Rejections - 35 U.S.C. § 102 and 35 U.S.C. § 103:
Applicant’s arguments with respect to the rejection of claim(s) 1, 3-12 and 14-24 have been considered but are moot in view of the new ground(s) of rejection.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 12-22 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.
Claim limitations “user devices executing…, a security policy system monitoring…” in claim 12 are limitations that invoke 35 U.S.C. 112, sixth paragraph. The written description only implicitly or inherently sets forth the corresponding structure, material, or acts that perform the claimed function.
Pursuant to 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181, applicant should:
(a) Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112, sixth paragraph; or
(b) Amend the written description of the specification such that it expressly recites the corresponding structure, material, or acts that perform the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(c) State on the record what corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of pre-AIA 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under pre-AIA 35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-6 and 8-24 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Zhou et al. (Pub. No.: US 2011/0185417 A1 - IDS; hereinafter Zhou) in view of Das et al. (Pub. No.: US 2013/0097660 A1 - IDS; hereinafter Das) further in view of Harmonen (Pub. No.: US 2012/0017275 A1).
Regarding claims 1, 12 and 23, Zhou discloses a method for identifying polymorphic malware on user devices, the method comprising:

determining the fingerprints of the known malware based on observed behavior of the malware, wherein the observed behaviors of the known malware represent actions performed by the known malware (hash of file behaviors or codes that are executed in memory [Zhou; Fig. 3-5 and associated text]);
comparing the fingerprints of the applications to fingerprints of known malware (compared the hash to the stored hash, if it is a match, whitelist it, if not and the score is below a value, blacklist it [Zhou; Fig. 3-5 and associated text]);
determining if any fingerprints of the application are similar to fingerprints of known malware (comparing of hash to determine if it is clean or malicious [Zhou; Fig. 3-5 and associated text]); and
applying security policies to the applications when the fingerprints of the application are similar to fingerprints of known malware (action taken when file is blacklisted [Zhou; Fig. 3-5 and associated text]).
Zhou teaches whitelisting unknown files for execution on the system. The whitelisting module may oversee the computation of a hash of a file loaded into memory and the comparison of that hash to hashes within a hash table generated from clean files located on a clean system. The whitelisting module may communicate with a device internal and/or external to the system to retrieve the hash table of clean files. Zhou does not explicitly disclose comparing the fingerprint to fingerprints from a blacklist; however, in a related and analogous art, Das teaches this feature.

The Zhou-Das combination teaches creating hashes for a file/application (e.g., csrss.exe) to determine whether the file contains malicious content, including identifying attributes of the application and giving it a reputation score to better identify malware. The Zhou-Das combination does not explicitly disclose determining a behavior fingerprint of the application, wherein the behaviors of an application represent actions performed by the application; however, in a related and analogous art, Harmonen teaches this feature.
In particular, Harmonen teaches creating fingerprints of legitimate software applications and of polymorphic malware, to determine whether an application is known/unknown and whether it is clean or contains malware based on the fingerprint of its behaviours [Harmonen; ¶40, 51-56, 63-64]. It would have been obvious at the time of filing to modify the Zhou-Das combination in view of Harmonen, with the motivation of creating hashes/fingerprints that also capture an application's behavior in order to detect malicious applications.
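The following is an added illustration of the claimed pipeline as characterized above (file-hash whitelist/blacklist lookup as in Zhou, a blacklist comparison as in Das, and a behavior fingerprint as in Harmonen, with the prevalence rule of claims 18 and 24); it is not code from the application or from any of the cited references, and the hashes, behavior strings and thresholds are constructed sample values.

```python
import hashlib
from typing import Dict, Iterable, Set, Tuple

# Constructed sample data (not from the references): behavior fingerprints are
# sets of observed actions of the kinds claim 11 lists (network connections,
# API calls, file access, registry changes).
KNOWN_MALWARE_BEHAVIORS: Dict[str, Set[str]] = {
    "sample-A": {"net:connect:c2.invalid", "api:WriteProcessMemory",
                 "file:create:%TEMP%/payload.exe", "reg:set:HKCU/Run/updater"},
}
WHITELIST_HASHES = {hashlib.sha256(b"clean csrss.exe bytes").hexdigest()}
BLACKLIST_HASHES = {hashlib.sha256(b"known bad bytes").hexdigest()}


def file_hash(contents: bytes) -> str:
    """Content hash of the file as loaded, the whitelist/blacklist lookup key."""
    return hashlib.sha256(contents).hexdigest()


def behavior_fingerprint(behaviors: Iterable[str]) -> Set[str]:
    """Normalise observed actions; the resulting set is the behavior fingerprint."""
    return {b.strip().lower() for b in behaviors}


def similarity(a: Set[str], b: Set[str]) -> float:
    """Jaccard similarity between two behavior fingerprints (0.0 .. 1.0)."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def classify(contents: bytes, behaviors: Iterable[str], device_count: int,
             threshold: float = 0.6, min_prevalence: int = 3) -> Tuple[str, str]:
    """Return (verdict, reason): hash lists first, then behavior similarity,
    then the prevalence rule for unknown applications."""
    h = file_hash(contents)
    if h in WHITELIST_HASHES:
        return "allow", "file hash on whitelist"
    if h in BLACKLIST_HASHES:
        return "block", "file hash on blacklist"
    fp = behavior_fingerprint(behaviors)
    name, score = max(
        ((n, similarity(fp, behavior_fingerprint(b))) for n, b in KNOWN_MALWARE_BEHAVIORS.items()),
        key=lambda pair: pair[1])
    if score >= threshold:
        # Different file hash, same behavior: treated as a polymorphic variant.
        return "block", f"behavior {score:.2f} similar to {name}; hash {h[:8]} unknown"
    if device_count < min_prevalence:
        return "restrict", f"unknown application seen on only {device_count} device(s)"
    return "monitor", "unknown hash, no behavioral match"
```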

Regarding claims 3 and 14, Zhou-Das-Harmonen combination discloses further comprising identifying the applications as polymorphic variations of specific instances of the known malware based on behaviors exhibited by the specific instances of the known malware and the monitored behaviors of the applications (hash can be done based on file behaviors or codes [Zhou; Fig. 3-5 and associated text]).

Regarding claims 4 and 15, the Zhou-Das-Harmonen combination discloses further comprising identifying polymorphic viruses based on whether applications with different file hashes from the known malware exhibit similar observed behaviors as the malware (hash is different [Zhou; Fig. 3-5 and associated text]).

Regarding claims 5 and 16, Zhou-Das-Harmonen combination discloses further comprising identifying unique applications that only occur on a single device as malware based on whether the unique applications exhibit similar observed behaviors as the malware (hash same in blacklist [Zhou; Fig. 3-5 and associated text]).

Regarding claims 6 and 17, Zhou-Das-Harmonen combination discloses wherein the polymorphic malware is malware that mutates to change contents of files containing the malware and/or behavior of the malware with respect to previous versions of the malware (hash same in blacklist [Zhou; Fig. 3-5 and associated text]).

Regarding claims 18 and 24, the Zhou-Das-Harmonen combination discloses wherein the applications executing on the user devices are unknown applications, wherein the security policies are applied to the unknown application based on determining that less than a predetermined number of the one or more user devices execute the unknown application (determine an unknown application is executed in memory, appropriate action is taken [Zhou; Fig. 3 - elements 313-321]).

Regarding claims 8 and 19, the Zhou-Das-Harmonen combination discloses further comprising a security policy system receiving behavioral information from one or more user devices, the behavioral information indicating behaviors of the applications executing on the user devices (behavior when run [Zhou; Fig. 3-5 and associated text]).

Regarding claims 9 and 20, the Zhou-Das-Harmonen combination discloses further comprising the security policy system storing the behavioral information from the one or more user devices in a behavioral history database (hash/checksum same as blacklist/whitelist database [Zhou; Fig. 3-5 and associated text] [Das; ¶31, 40, 82]). The motivation would have been to identify malicious applications faster.

Regarding claims 10 and 21, Zhou-Das-Harmonen combination discloses wherein the applying security policies to the applications when the fingerprints of the application are similar to fingerprints of known malware comprises the security policy system updating the security policies based on the behavioral information, sending the updated security policies to the user devices, and security agent software executing on the user devices enforcing the updated security policies (enforcing the rules based on condition [Zhou; Fig. 3-5 and associated text]).

Regarding claims 11 and 22, the Zhou-Das-Harmonen combination discloses wherein the monitored behaviors include forming network connections, making system application programming interface (API) calls, accessing, creating and loading files, changing system configurations including modifying system registry values, and/or monitoring user inputs.

Allowable Subject Matter
Claim 7 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

The following is an examiner’s statement of reasons for allowance: 
Dependent claim 7 is allowable over the prior art since the prior art, taken individually or in combination, fails to particularly disclose, fairly suggest or render obvious the following limitations:
In claim(s) 7:
“wherein at least one of the one or more applications executing on the one or more user devices is an unknown application, wherein the security policies are applied to the unknown application based on an age of the unknown application, the method further comprising calculating a trust score of the unknown application based on the age of the unknown application.” in combination with other limitations recited as specified in the independent claim(s).

Internet Communications
Applicant is encouraged to submit a written authorization for Internet communications (PTO/SB/439, http://www.uspto.gov/sites/default/files/documents/sb0439.pdf) in the instant application via the following methods only: (1) Central Fax, which can be found in the Conclusion section of this Office action; (2) regular postal mail; (3) EFS-Web; or (4) the service window on the Alexandria campus. EFS-Web is the recommended way to submit the form since this allows the form to be entered into the file wrapper within the same day (system dependent). Written authorization submitted via other methods, such as direct fax to the examiner or email, will not be accepted. See MPEP § 502.03.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 


Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/DAO Q HO/Primary Examiner, Art Unit 2432